'Neverquest' bank-robber 'ware throws the whole Trick Book at victims

Carberp? ZeuS? Get into the fridge, grandad

Common Topics

A new banking trojan that its creators brag can attack “any bank in any country” has already been blamed for several thousand attempts to infect computers.

The Neverquest banking trojan supports almost every trick used to bypass online banking security systems, including web injection, remote system access and social engineering, Kaspersky Lab warns. Neverquest surfaced on hacker forums during July in an advert looking for a partner to work with the trojan on servers run by a group of cybercriminals.

Months later, variants of the malware matching the design specs started surfacing in active attacks. By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world. Things can only get worse as the fraudsters behind the malware are only just spinning up their malware machine, which might take months to reach its full potential.

Neverquest uses the same self-replication mechanisms as Bredolab, a digital pathogen used as a platform for spam distrubution and scareware scams that caused all sorts of problems when it began spreading back in 2009. At its pre-decapitation peak, Bredolab infected an estimated 30m Windows PCs, so Neverquest's similarity to it is bad news for internet hygiene.

Routines built into Neverquest harvest contact information from a victim's email client. This information is used by cybercriminals to send out mass spam mailings with attachments containing trojan downloaders, designed to install Neverquest. Booby-trapped emails contain malicious zip attachments and are typically designed to look like official notifications from a variety of online services.

Another routine steals FTP passwords associated with websites. This compromised access is then used to plant malicious code (exploit packs) on websites. This creates drive-by download attacks so that surfers visiting the otherwise legitimate site are sprayed with malicious code ultimately designed to plant Neverquest malware on vulnerable PCs using browser exploits and similar attacks.

The crooks behind the malware are aiming to steal a march against their more established rivals who push other banking trojan toolkits such as ZeuS and Carberp, according to security researchers.

“After wrapping up several criminal cases associated with the creation and proliferation of malware used to steal bank website data, a few ‘holes’ appeared on the black market. New malicious users are trying to fill these with new technologies and ideas. Neverquest is just one of the threats aiming to take over the leading positions previously held by programs like ZeuS and Carberp.”

Neverquest steals usernames and passwords to online bank accounts as well as all the data entered by the user into the modified pages of a banking website. Special scripts for Internet Explorer and Firefox are used to enable these thefts, giving the malware control of the browser connection and routing it to the cybercrooks’ command server.

Scripts to enable fraud against German, Italian, Turkish and Indian banks, as well as payment systems, come bundled with the hacker tool. Neverquest also comes with utilities to enable fraudsters to extend the target list.

Kaspersky Lab analysts reckon investment funds from fidelity.com are the top target for the fraudsters behind the malware. Malicious users have the chance not only to transfer funds to their own accounts but also to play the stock market using the accounts and the money of Neverquest victims.

One unusual feature of the malware means fraudsters can conduct transactions and wire money from one compromised account to the accounts of other victims. Normally funds are fraudulently siphoned off from compromised accounts to accounts maintained by money mules in the same country, junior partners in banking fraud scams. These money mules withdraw the money, keeping a small percentage, before using money transfer services such as Western Union to send it to the masterminds behind the scams, who are often based in eastern Europe.

Neverquest is also designed to harvest data to access the accounts of numerous social networking services, including Twitter and Facebook. The malware has yet to use social media to spread, however, according to security researchers at the Russian security firm.

A full write-up on the threat, including screenshot, can be found on a post at Kaspersky Lab's Threatpost blog here. ®